4 posts tagged with "security"

SSH Authentication with a CA

· 6 min read
Guillaume MARTINEZ
LeadTech DevOps & Cloud & IA

This article describes how to use an SSH CA to authenticate to SSH servers. This is particularly useful when you have a lot of servers to manage and you want to avoid the hassle of managing a lot of SSH keys.

The basic idea is to have a CA (Certificate Authority) that will sign the public keys of the users. Then, the users will be able to authenticate to the servers using their signed public key. This way, you don't have to manage the public keys of the users on the servers, you only have to manage the public keys of the CA. You can also limit the validity of the signed public keys to a certain amount of time or to a certain set of servers and users.

Zero trust deployment with Kubernetes

· 10 min read
Guillaume MARTINEZ
LeadTech DevOps & Cloud & IA

Using open-source software written by unknown people can sometimes be a little scary, even more so when I deploy it in a production environment at my company. In my case, I have created a brand new Kubernetes cluster to host some private services on my local network and I wanted to be sure that they don't do anything malicious on my network.

Understanding Time-based One-time-password

· 9 min read
Guillaume MARTINEZ
LeadTech DevOps & Cloud & IA

Now that every web service increasingly encourages you to use MFA to secure your account, one method is used more than the others: Time-based one-time password, or TOTP, which generates a unique code of 6 or more digits to enter just after typing your password.

The server or web app that lets you set up TOTP gives you a QR code to scan (or a Base32 string) to configure in a TOTP generator app such as Microsoft Authenticator, Google Authenticator, Bitwarden or others.

We all use it, but how does it work? Is it secure? Is my account secure when using a third-party TOTP generator?

Securing web entrypoint from external threats

· 14 min read
Guillaume MARTINEZ
LeadTech DevOps & Cloud & IA

I'm currently hosting some private web services accessible from the internet. In order to protect those apps, I needed a very secure way to protect access to them.

As you may already know, there are tons of bots that continuously scan all public internet IPs for potential vulnerabilities, from open ports to insecure web services or security breaches. There are private organizations, like Shodan, that make it possible to discover those vulnerabilities. In my particular case, this is the only information that they could collect from my IP gateway: